Department of Homeland Security
Office of Inspector General

Management Oversight Challenges Remain for DHS' Intelligence Systems Information Technology Security Program

Unclassified Summary

OIG-09-30                                         February 2009

We evaluated the security program and practices for the Department of Homeland Security’s Top Secret/Sensitive Compartmented Information systems according to Federal Information Security Management Act (FISMA) annual requirements. We focused on the security program management, implementation, and system administration of the department’s intelligence systems. We primarily assessed the department’s Plan of Action and Milestones (POA&M), system certification and accreditation, and incident reporting processes, as well as its security awareness training program.

The objective of our evaluation was to determine whether the department is properly protecting Top Secret/Sensitive Compartmented Information and the systems that support the department’s intelligence operations and assets. We assessed the effectiveness of the information systems security controls for the department’s intelligence systems, and the remediation of the findings that we reported as a result of our Fiscal Year 2007 assessment. This is the department’s first year reporting on the U.S. Coast Guard’s (USCG) FISMA compliance. Fieldwork was conducted from May through October 2008, at the Intelligence and Analysis (I&A) and USCG.

The department continues to improve and strengthen its security programs for its intelligence systems. During the past year, the department finalized its Sensitive Compartmented Information Systems Information Assurance Handbook, which provides department intelligence personnel with security procedures and requirements to administer its intelligence systems and the information processed. The handbook is accompanied by policies and procedures pertaining to POA&M, incident reporting, and systems security plan development processes. Additionally, the department certified and accredited its classified network extension. Furthermore, USCG intelligence systems were re-aligned under the purview of I&A. Subsequently, I&A accepted the existing USCG intelligence systems certifications granted by the Department of Navy.

As a direct result of I&A’s efforts in addressing last year’s systems security vulnerabilities and recommendations, DHS instituted a comprehensive vulnerability and patch management program. In implementing this program, DHS has significantly minimized the security risks associated with the department’s intelligence systems. The department addressed ten of the fourteen recommendations cited in our FY 2007 report.

Overall, information security procedures have been documented and controls have been implemented, providing an effective level of security for the department’s intelligence systems. Yet the department has not fully addressed the issues and recommendations from our FY 2007 evaluation that remain open. These relate to the POA&M process, the development of a contingency/disaster recovery plan and testing of controls, and the implementation of a formal information system security education, training, and awareness program for intelligence operations and personnel. Further, I&A has taken on the responsibility for reporting the USCG’s compliance with FISMA for its intelligence systems and should continue to provide management oversight to ensure that the USCG is maintaining its information technology security program. We recommended that the Under Secretary for I&A address the open recommendations and that the Office of the Chief Information Officer address the system control issues that we identified during our review.

In response to our draft report, I&A concurred with our recommendations. I&A provided proposed plans of action to address each of our recommendations. Additional clarification was needed to address the completion dates or to refine corrective actions to fully satisfy the intent of the proposed recommendations. Through subsequent discussion, I&A fully agreed with our concerns and has changed its proposed corrective actions. (OIG-09-30, February 2009, IT)

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.